IPTABLES TARGET EXTENSIONS
       iptables can use extended target modules: the following are included in the standard distribution.

   BALANCE
       This allows you to DNAT connections in a round-robin way over a given range of destination addresses.

       --to-destination ipaddr-ipaddr
              Address range to round-robin over.

   CLASSIFY
       This module allows you to set the skb->priority value (and thus classify the packet into a specific CBQ class).

       --set-class MAJOR:MINOR
              Set the major and minor class value.

   CLUSTERIP
       This module allows you to configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster.

       --new  Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.

       --hashmode mode
              Specify the hashing mode. Has to be one of sourceip, sourceip-sourceport, sourceip-sourceport-destport.

       --clustermac mac
              Specify the ClusterIP MAC address. Has to be a link-layer multicast address.

       --total-nodes num
              Number of total nodes within this cluster.

       --local-node num
              Local node number within this cluster.

       --hash-init rnd
              Specify the random seed used for hash initialization.

   CONNMARK
       This module sets the netfilter mark value associated with a connection.

       --set-mark mark[/mask]
              Set connection mark. If a mask is specified then only those bits set in the mask are modified.

       --save-mark [--mask mask]
              Copy the netfilter packet mark value to the connection mark. If a mask is specified then only those bits are copied.

       --restore-mark [--mask mask]
              Copy the connection mark value to the packet. If a mask is specified then only those bits are copied. This is only valid in the mangle table.

   DNAT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:

       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.

       You can add several --to-destination options. If you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses.

   DSCP
       This target allows you to alter the value of the DSCP bits within the TOS header of the IPv4 packet. As this manipulates a packet, it can only be used in the mangle table.

       --set-dscp value
              Set the DSCP field to a numerical value (can be decimal or hex).

       --set-dscp-class class
              Set the DSCP field to a DiffServ class.

   ECN
       This target allows you to selectively work around known ECN blackholes. It can only be used in the mangle table.

       --ecn-tcp-remove
              Remove all ECN bits from the TCP header. Of course, it can only be used in conjunction with -p tcp.

   LOG
       Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.

       --log-uid
              Log the userid of the process which generated the packet.

   MARK
       This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table. It can for example be used in conjunction with iproute2.

       --set-mark mark

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see SNAT below). This is only valid if the rule also specifies -p tcp or -p udp.

   MIRROR
       This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are NOT seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.

   NETMAP
       This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the nat table.

       --to address[/mask]
              Network address to map to. The resulting address will be constructed in the following way: All 'one' bits in the mask are filled in from the new 'address'. All bits that are zero in the mask are filled in from the original address.

   NOTRACK
       This target disables connection tracking for all packets matching that rule. It can only be used in the raw table.

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:

       --to-ports port[-port]
              This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

   REJECT
       This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

       --reject-with type
              The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited (*), which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT.

   ROUTE
       This is used to explicitly override the core network stack's routing decision. It is only valid in the mangle table.

       --oif ifname
              Route the packet through 'ifname' network interface.

       --iif ifname
              Change the packet's incoming interface to 'ifname'.

       --gw IP_address
              Route the packet via this gateway.

       --continue
              Behave like a non-terminating target and continue traversing the rules. Not valid in combination with '--iif' or '--tee'.

       --tee  Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with '--iif' or '--continue'.

   SET
       This module adds and/or deletes entries from IP sets which can be defined by ipset(8).

       --add-set setname flag[,flag...]
              add the address(es)/port(s) of the packet to the sets

       --del-set setname flag[,flag...]
              delete the address(es)/port(s) of the packet from the sets,

       where flags are src and/or dst and there can be no more than six of them. The bindings to follow must previously be defined in order to use multilevel adding/deleting by the SET target.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:

       --to-source ipaddr[-ipaddr][:port-port]
              which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

       You can add several --to-source options. If you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses.

   TCPMSS
       This target allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with -p tcp.

       This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:

       1) Web browsers connect, then hang with no data received.

       2) Small mail works fine, but large emails hang.

       3) ssh works fine, but scp hangs after initial handshaking.

       Workaround: activate this option and add a rule to your firewall configuration like:

              iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                       -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.

   TOS
       This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

       --set-tos tos
              You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

   TRACE
       This target has no options. It just turns on packet tracing for all packets that match this rule.

   TTL
       This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can traverse until its time to live is exceeded.

       Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. Don't ever set or increment the value on packets that leave your local network! It is only valid in the mangle table.

       --ttl-set value
              Set the TTL value to 'value'.

       --ttl-dec value
              Decrement the TTL value 'value' times.

       --ttl-inc value
              Increment the TTL value 'value' times.

   ULOG
       This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a "non-terminating target", i.e. rule traversal continues at the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside the kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).
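The NETMAP --to mapping rule above (mask bits from the new address, the rest from the original) and the default SNAT source-port classes are easy to get wrong when planning a NAT layout, so here is an added example that models both offline. It is not part of the iptables man page or the iptables code: it is a POSIX sh script that computes what the kernel would produce for a given address and prefix, and nothing in it loads rules. The addresses and ports it runs on are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the iptables man page): models the address
# construction the NETMAP --to option describes and the default SNAT
# source-port classes, so a planned rule can be checked before it is loaded.
# Pure POSIX sh arithmetic; nothing here touches the kernel.

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned 32-bit integer -> dotted-quad IPv4 address.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ORIGINAL NEW[/PREFIXLEN]
# Bits that are one in the mask come from NEW, bits that are zero come from
# ORIGINAL, as described for --to address[/mask]. A missing /mask is taken
# as /32 (the whole address is replaced); this default is an assumption.
netmap_addr() {
    orig=$(ip2int "$1")
    case $2 in
        */*) new=$(ip2int "${2%/*}"); len=${2#*/} ;;
        *)   new=$(ip2int "$2");      len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    int2ip $(( (new & mask) | (orig & ~mask & 0xFFFFFFFF) ))
}

# snat_port_class PORT
# Prints the range the default SNAT heuristic keeps a source port in when no
# --to-source port range is given: below 512 stays below 512, 512-1023 stays
# below 1024, everything else maps to 1024 or above (the original port is
# kept where possible, so this is the worst case, not a prediction).
snat_port_class() {
    if [ "$1" -lt 512 ]; then echo "1-511"
    elif [ "$1" -lt 1024 ]; then echo "512-1023"
    else echo "1024-65535"
    fi
}

# Constructed samples. For a rule such as
#   iptables -t nat -A PREROUTING -d 192.0.2.0/24 -j NETMAP --to 10.0.0.0/24
# a packet to 192.0.2.17 is rewritten to 10.0.0.17. With --to 10.0.0.0/28
# only the low four bits survive, so 192.0.2.17 collapses onto 10.0.0.1:
# a mask narrower than the mapped network silently merges hosts.
netmap_addr 192.0.2.17 10.0.0.0/24
netmap_addr 192.0.2.17 10.0.0.0/28
snat_port_class 22
snat_port_class 40000
```

Running the script prints the mapped addresses and port classes for the sample values; feed it the real network and prefix from a planned NETMAP rule to confirm that the mask is wide enough that two hosts never land on the same translated address.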
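Two of the targets above come with rules of thumb that are easy to violate by hand: LOG is non-terminating, so a refused packet has to be matched twice (LOG, then DROP) with identical criteria and a prefix of at most 29 characters, and TCPMSS needs either --set-mss (MTU minus 40) or --clamp-mss-to-pmtu but never both. The following added example, which is not from the iptables man page or the iptables project, is a small POSIX sh generator that emits such rule pairs as text and refuses an over-long prefix. The chain names, the default log level of 4 and the sample MTU of 1492 are assumptions; the output is meant to be reviewed and then piped into a shell, not executed by the script itself.

```shell
#!/bin/sh
# Added example (not from the iptables man page): emits LOG-then-DROP rule
# pairs and TCPMSS clamp rules as text, enforcing the constraints the man
# page states. Nothing here calls iptables; pipe the output into sh to apply.

# log_then_drop CHAIN PREFIX MATCH...
# Prints the two rules the LOG section recommends: the same match twice,
# first -j LOG, then -j DROP. Refuses a prefix longer than 29 characters
# (the LOG --log-prefix limit). --log-tcp-sequence is deliberately never
# added: the man page flags it as a risk when the log is readable by users.
# LOG_LEVEL defaults to 4 (syslog "warning"); the default is an assumption.
log_then_drop() {
    chain=$1; prefix=$2; shift 2
    if [ ${#prefix} -gt 29 ]; then
        echo "log_then_drop: prefix longer than 29 characters: '$prefix'" >&2
        return 1
    fi
    echo "iptables -A $chain $* -j LOG --log-level ${LOG_LEVEL:-4} --log-prefix \"$prefix\""
    echo "iptables -A $chain $* -j DROP"
}

# tcpmss_rule [MTU]
# Prints the FORWARD rule from the TCPMSS section. With an MTU argument it
# uses --set-mss MTU-40 (the "MTU minus 40" rule of thumb); without one it
# uses --clamp-mss-to-pmtu. The two options are mutually exclusive, so the
# function never emits both.
tcpmss_rule() {
    base="iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS"
    if [ -n "$1" ]; then
        echo "$base --set-mss $(( $1 - 40 ))"
    else
        echo "$base --clamp-mss-to-pmtu"
    fi
}

# Constructed demonstration: log and drop inbound telnet, then clamp MSS
# for a link with a 1492-byte MTU (1452) and, alternatively, to path MTU.
log_then_drop INPUT "telnet-drop: " -p tcp --dport 23
tcpmss_rule 1492
tcpmss_rule
```

Because the generator only prints text, the output can be diffed against the running configuration or committed to version control before anything is loaded; a prefix that exceeds the 29-character limit is caught at generation time rather than being silently truncated in the kernel log.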